Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020. The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 

For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
Our privacy notice 


Q1 Is the draft code clear and easy to understand? 


O Yes 
X No 


If no please explain why and how we could improve this: 


General 

The document as a whole would benefit from clearer distinctions between specific requirements 
relating to direct marketing in PECR, and the requirements that apply under the GDPR to processing 
personal data. 


It is important to clearly distinguish between PECR direct marketing provisions, the purpose of which is 
to (broadly) restrict unsolicited electronic marketing communications, and the GDPR, the purpose of 
which is (broadly) to protect personal data. The definitions of ‘direct marketing’ in the draft Code 
conflate the two, which is unhelpful and potentially confusing. Not all ‘personalised’ advertising that is 
targeted based on personal data would constitute ‘unsolicited communication’, especially where the 
advertising is an integral part of the service being sought/delivered, rather than being a separate 
activity in itself (as with a direct mailing, for example). 


Scope — ‘personalised’ advertising. 

We fully recognise that PECR regulation 6, and the GDPR apply to digital advertising activities that 
involve storage of or access to information on a device, and/or processing of personal data. However, 
the blanket application of all other direct marketing provisions to any ‘personalised’ advertising, as 
envisaged on page 87 of the draft Code, is not practicable (especially when there is no direct 
connection between the individual and the advertiser) or proportionate, and unlikely to be in the best 
interests of the consumer. Nor is it clear to us that this is what the law intends. 


Some digital ads are targeted on the basis of information that directly identifies an individual, e.g. an 
email address (which can be used alone or in combination with other information). However, not all ads 
are targeted in this way. Many ads are targeted on the basis of identifiers that are pseudonymised, 
including cookies, mobile ad IDs (MAID), and tokenised emails (and these identifiers differ between 
companies for the same ‘user’). These identifiers do not in themselves directly identify particular 
individuals and therefore ads that are targeted on this basis should not be characterised as ‘direct 
marketing’. Individuals already have extensive rights and protections in relation to this type of targeting 
arising from the requirements in PECR regulation 6 and the GDPR. 


It should also be recognised that ‘targeting’ based on personal data can be carried out in different 
ways. For example, by targeting a user with a specific ad (e.g. advertising a product to a user — via a 
cookie ID — who has previously visited a retailer’s site), or by showing an ad to every user that falls into 
a predetermined audience, based on characteristics set by the advertiser, e.g. promoting a new car 
model to all users on a site or platform who fall into a certain age bracket and who have indicated an 
interest in cars. 


These distinctions (direct vs indirect identifiers and one-to-one vs one-to-many marketing) should be 
reflected in the scope and applicability of the aspects of the code of practice that relate to the PECR 
direct marketing provisions and the ICO’s suggested good practice — there should be a more flexible 
approach where privacy-enhancing methods are used as part of targeting. 



To illustrate this point using a specific example, the draft Code covers consent withdrawal and opting 
out of or objecting to direct marketing. We do not agree that, for example, withdrawal of consent to 
‘receive’ (i.e. see) an ad in one place online, or conversely objecting to e.g. direct mailings or 
telephone calls, constitutes a withdrawal of consent or objection to seeing any future ads from that 
advertiser anywhere online. We would also question whether this is likely to be the user’s intention 
or expectation. Where the data used for targeting does not directly identify the user and/or there is no 
direct means of communication back to the advertiser (allowing removal from a direct marketing list or 
a suppression), and/or where the user is not known to the site, platform, etc. (e.g. through an account 
login) it would not be possible in practice to treat a withdrawal of consent/objection to seeing 
advertising on ad-funded services as applying to all methods of direct marketing. Notwithstanding 
those points, it is also unclear from the draft Code how this position interplays with Articles 11 and 12 
of GDPR, which read together qualify the obligations of controllers when dealing with the exercise of 
data subjects’ rights by data subjects which the controller is not in a position to identify. 


There is also a risk that by describing all ‘personalised’ targeted online advertising as direct marketing, 
this will cause confusion and misunderstanding about what is stated in recital 47 of GDPR (i.e. ‘The 
processing of personal data for direct marketing purposes may be regarded as carried out for a 
legitimate interest’) as it applies to direct marketing via online advertising. 


Data from other sources (p. 48) 

The draft Code does not address scenarios whereby whoever has acquired data (assuming that the 
Article 14 requirements have not already been met) does not hold a person’s personal details and is 
therefore not in a position to ‘notify’ them in advance of the activation of the data (business-to-business 
services, for example, that use indirect identifiers as a core reference point). To contact these 
individuals in advance of the data being activated is likely in some cases to be impossible, at least 
without acquiring more personal data, and/or to constitute disproportionate effort. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 

O Yes 

X No 


If no please explain what changes or improvements you would like to 
see? 


How long consent lasts (p. 41) 

The Code (and the suggested good practice) should reflect that the appropriate ‘refresh’ period for 
consent (whether PECR consent or GDPR consent) would be addressed by the organisation’s own 
policies, including data storage and retention policies. In developing these policies, the appropriate 
length of time for consent to last could be influenced by factors such as the purpose and nature of what 
is being consented to, and the method of identification of the individual (e.g. logged-in users with 
accounts vs users identified only by device identifiers such as cookies). 


‘Solely automated decisions’ (p. 58-59) 

The draft code gives examples of where direct marketing could have a ‘legal or ‘similarly significant 
effect’ and cites ‘profiling to target vulnerable groups or children’. The description of ‘profiling’ on page 
57 includes ‘segmenting customers into different categories based on perceived characteristics’. 


The Code should be more precise in relation to profiling relating to vulnerable groups or children. The 
purpose of the profiling is relevant to whether it could produce a legal or similarly significant effect. For 
example, a public information ad campaign may be targeted at either of these groups without having 
such an effect. These groups may also be profiled in order to exclude them from ad campaigns, 
including — but not exclusively — to meet regulatory requirements. This should not be construed as 
activity that in and of itself engages Article 22 and it would be beneficial for the Code to be more 
specific on this point. 


It would be helpful for the Code to be more specific about the meaning of the term ‘intrusive profiling’ 
(p.58) for the purposes of the Code and whether and how this relates to the concept of having a ‘legal 
or similarly significant effect’. 


Q3 Does the draft code cover the right issues about direct marketing? 


No 


If no please outline what additional areas you would like to see 
covered: 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


If no please outline what additional areas you would like to see covered 


Q5 Is it easy to find information in the draft code? 


No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


X Yes 
O No 


If yes, please provide your direct marketing examples : 


The EDAA AdChoices Programme establishes good practice for all EU and EEA markets to enhance 
transparency and user control for online behavioural advertising (OBA). This framework applies to 
advertising targeted at any user. 


The initiative is based upon seven key principles: notice, user choice, data security, sensitive 
segmentation (for example, it requires participating businesses to agree not to create ‘interest 
segments’ to specifically target children 12 and under), education, compliance and enforcement, 
and review. A copy of the EU industry Framework and the full set of principles can be found at: 
http://edaa.eu/european-principles/. 




At the heart of this work is a symbol or icon (see below — often known as the ‘AdChoices’ icon) that 
appears in or around the advertisements on sites, as well as on site pages themselves. 


When a user clicks on the icon he or she will be able to find out more about the information collected 
and used to show them the ad and which companies are processing their data for this purpose. In 
2018, over 159bn icons were delivered by approved providers across Europe, giving consumers 
significant opportunities to manage or control their online advertising preferences (see 


The icon also links to ways for internet users to manage their interests, such as via privacy dashboards 
or ad preference managers. It also links to a pan-European website — www.youronlinechoices.eu — 

with helpful advice, tips to help protect privacy and a control page where you can turn off behavioural 
advertising. The UK version of the website is at www.youronlinechoices.eu/uk. In 2018 there were on 
average 2.1 million unique visitors to www.youronlinechoices.eu every month (up from 1.9 million in 
2017) (see activity report, linked above. This number does not include those delivered by companies 
that integrate the icon ‘in house’.) 


The EU industry initiative is administered by the European Interactive Digital Advertising Alliance 
(EDAA) www.edaa.eu. The EDAA programme is integrated with national advertising self-regulatory 
organisations who handle complaints. In the UK, the ASA administers OBA consumer complaints and 
in 2013 rules on OBA were introduced to the UK CAP Code. These were updated in 2018 to reflect the 
introduction of the GDPR. 


It should be noted that a number of the aspects covered by the Framework (such as notice, choice, 
and sensitive segmentation) are now covered by the GDPR and the Framework is undergoing a 
process of review and evolution in light of that, including to ensure that it aligns with the digital 
advertising industry’s Transparency and Consent Framework. Nevertheless, all companies who 
engage in OBA should be encouraged to participate. 


Further information on the initiative is available: 

• the EDAA’s explanatory video 

• EDAA overview and activity report (2018) https://www TEk com/policy/edaa-2018-activity-report 


Q7 Do you have any other suggestions for the direct marketing code? 


‘Enforcement’ (p. 11) 

The draft Code says: ‘There is no penalty if you fail to adopt good practice recommendations, as long 
as you find another way to comply with the law.’ This language should be changed. The use of the 
word ‘fail’ contradicts what the text says about the status of these recommendations, and not adopting 
them should not be characterised as a ‘failure’. We suggest that ‘Do not adopt’ would be more 
appropriate. 


Conditional access (ps. 37 and 88) 

We welcome the ICO’s use of qualifying language in describing the issues around conditionality of 
access. We note that this is an area that the ICO has indicated it is continuing to consider, and is a 
topic that has also arisen in the context of the ICO’s Update report into ad tech and RTB, and we 
welcome the opportunity to continue to explore this complex and sensitive topic with the ICO. 


Terminology 
The document refers in various places to the ‘direct marketing rules’. The document should define 
specifically what this term means. 


Legal bases 

As a matter of principle we do not believe that the ICO should be prescriptive about which legal bases 
are or are not available for a particular processing activity. This is rightly a decision for data controllers 
to take and to be accountable for. We do not agree that ‘if PECR requires consent then in practice 
consent will be your lawful basis under the GDPR’. 


We see PECR and its scope (privacy of electronic communications) as separate to the GDPR’s scope 
(personal data) and the Code should reflect that (as stated under question 1). PECR Regulation 6 (1) 
states that: 


... a person shall not store or gain access to information stored, in the terminal equipment of a 
subscriber or user unless the requirements of paragraph (2) are met... 


Paragraph (2) goes on to describe the consent mechanism, and the GDPR specifies what constitutes 
consent. 


We are in no doubt as to consent being required for access and storage under PECR. However, the 
prohibitions set out in PECR Regulation 6 (1) apply only to those instances in which information is 
actually stored or accessed on the user terminal itself. In our view, storage and access for the purpose 
of dropping cookies (or similar technologies) is separate from subsequent processing of personal data 
with reference to those cookies (and indeed, the two are regulated by two different legislative 
instruments at EU level and under UK law). Some data processing may also be carried out without 
reference to the cookie (or other similar technology). 


As such, our view is that subsequent processing of personal data is subject to the legal basis 
provisions of the GDPR. Legitimate interest is therefore a possible legal basis for processing personal 
data in these circumstances (if the other conditions for its use set out in the GDPR are met). It is also 
important that each data processing purpose is considered separately, and an appropriate legal basis 
determined and established for each — which may be consent, but may also be legitimate interests 
(subject to the relevant conditions and requirements for using this legal basis). 




Lookalike audiences and controllership 

The draft Code recognises (p.91) that such activities are complex in terms of data protection, which is 
welcomed. However, we do not believe that the conclusion that ‘it is likely that both you [the marketer] 
and the platform are joint controllers for this activity’ is supported by the rationale described in the draft 
Code. It is possible that the marketer and the service provider could both be controllers independently 
of one another, and the Code should recognise that. It would be preferable if the Code instead made 
clear that the (complex) issue of controllership should be considered, and give a range of 
potential/example conclusions, rather than saying that joint controllership is the likely conclusion — 
particularly because the details will vary between service providers and based on other factors. 


Other 

There are a number of ongoing conversations between the digital advertising industry (and its 
component stakeholders), and the ICO, on issues relating to ad tech and RTB, including around key 
issues such as cookie walls — see above — and the legitimate interest legal basis. The ICO should take 
into account the progress of those discussions in considering the timing of the implementation of the 
Direct marketing code of practice. 


It would be helpful if the Code could indicate the future status of EDPB opinions cited or relied on in 
this guidance following the end of the Brexit transition period, and whether (and when) the guidance 
will be updated in light of that. 


About you 


Q8 Are you answering as: 


An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

An individual acting in a professional capacity 

On behalf of an organisation 

Other 


Please specify the name of your organisation: 




IAB UK 


If other please specify: 


Q9 How did you find out about this survey? 




ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 




Personal/work Twitter account 
Personal/work Facebook account 




Personal/work LinkedIn account 
Other 
If other please specify: 


Press release 


Thank you for taking the time to complete the survey 




